12/02/2004 - Added URL location for download of latest release of Symantec Windows LiveUpdate v2.6 and instruction on determining which version of Symantec LiveUpdate is running on the system.
Symantec is responding to an advisory issued concerning the potential for a minor denial of service (DoS) during a client's Symantec Windows LiveUpdate download from an actual or spoofed Symantec LiveUpdate server. In addition, the advisory states there is potential for a limited directory traversal vulnerability since Symantec Windows LiveUpdate fails to validate file path input during decompression of included file path data.
NOTE: Neither of these potential issues could be used to deploy malware or result in remote access to a client system.
Symantec Windows LiveUpdate 1.80.x, 1.90.x, 2.0.x, 2.5.x
The posted advisory states that Symantec's Windows LiveUpdate does not do proper size checking on downloaded archive zip files. This could potentially allow an external attacker, who has been able to spoof a Symantec LiveUpdate download site, or a hostile insider with privileged access to a valid LiveUpdate server to include an oversized zip file in the initial download package. Decompressing an overly large zip file could potentially consume all system resources resulting in a DoS condition on the client system. Killing the running Symantec LiveUpdate process or a system restart would clear the DoS. Additionally, according to the advisory, Symantec Windows LiveUpdate does not properly validate content in the file path of downloaded archive files. This could allow an attacker to modify the path in such a manner to download archive files to arbitrary locations on the targeted system.
The Symantec Windows LiveUpdate component is an essential piece of technology providing a method to deliver product and virus definition updates directly to the desktop, gateway or server.
Symantec engineers have thoroughly tested these issues. While it is potentially possible to do what the advisory states, there are some basic misunderstandings in the impact of as well as the ability to successfully accomplish this type of attack involving Symantec Windows LiveUpdate.
Symantec LiveUpdate servers, as are any servers, are potentially susceptible to misdirection, attacks. This is an Internet infrastructure problem, not only a Symantec problem. However, were such an attack to occur, only a very small percentage of a very large user base could potentially be impacted to any degree by a spoofing or misdirection attack since, by its very nature, such an attack would be limited to a local Internet area/region.
Symantec Windows LiveUpdate does not currently perform size validation on the initial download file. This initial file is a very small catalog file reflecting which installed Symantec applications have available updates. The zip library used by Symantec Windows LiveUpdate only extracts a specific subset of the content of the initial archive file downloaded so "redirecting" these files to locations other than their expected location would have minimal impact other than potential usability problems.
While Symantec considers the issues outlined in this reported advisory to be low-risk, and to have a low probability of occurrence Symantec considers the reports of possible vulnerabilities in any Symantec product to be very important. Symantec has released Symantec Windows LiveUpdate version 2.6 that adds additional capabilities to mitigate any potential actions of this nature.
Symantec verified this vulnerability does exist in the current supported versions of Automatic LiveUpdate shipped with many Symantec retail products. This issue is fixed in the latest release of Symantec Windows LiveUpdate v2.6.
Symantec Windows LiveUpdate 2.6 is available for download from the Symantec technical support site at http://www.symantec.com/techsupp/files/lu/lu.html.
To determine your version of Symantec LiveUpdate:
If you are running a version of Symantec LiveUpdate prior to v2.6, download Symantec Windows LiveUpdate v2.6 from the support site indicated above to upgrade your system to the latest version of Symantec Windows LiveUpdate v2.6. Upgrade may require a restart of your system to initialize the updated version.
- Open any Symantec product installed on your system that uses LiveUpdate, e.g., Symantec Norton AntiVirus 2005
- Click on LiveUpdate in the toolbar
- Click on the LiveUpdate system menu to see the drop-down selections
- Click on "About LiveUpdate" to see the version of LiveUpdate you are running
CVE candidate numbers will be requested from The Common Vulnerabilities and Exposures (CVE) initiative. This advisory will be revised as required once CVE candidate numbers have been assigned. These issues are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).
Please contact firstname.lastname@example.org if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to email@example.com. The Symantec Product Security PGP key can be found at the end of this message.
Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.
Copyright © by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from firstname.lastname@example.org.
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and email@example.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Last modified on: Thursday, 02-Dec-04 14:44:42